ZxShell

Malware updated 3 months ago (2024-06-03T17:17:32.202Z)
ZXShell is malware that has been used by a range of cyber threat actors to compromise and damage computer systems. It is known to be associated with other malware such as PANDORA, SOGU, GHOST, WIDEBERTH, QUICKPULSE, FLOWERPOT, QIAC, Gh0st, Poison Ivy, BEACON, HOMEUNIX and STEW, among others. It can reach a system through suspicious downloads, emails or websites, often without the user's knowledge; once installed, it can steal personal information, disrupt operations or hold data hostage for ransom.

Advanced Persistent Threat (APT) groups such as APT27 and APT20 have used ZXShell, relying on spear phishing and strategic web compromises as initial attack vectors. The ZXShell backdoor was previously used by the HiddenLynx/APT17 group; however, because the ZXShell source code is now publicly available, shared use does not definitively link these two groups. The malware is also linked to a variety of other malicious tools, including the China Chopper web shell, Gh0st RAT, HyperBro, PlugX and SysUpdate, which are used to exfiltrate high-value information and maintain persistent access to sensitive systems over long periods of time.

Threat actors in recent campaigns have been observed using an updated version of the ZXShell rootkit, indicating continuous development and enhancement of the malware. ZXShell uses a distinctive command channel: it hooks the NtWriteFile API and treats five special handle values as commands. It functions primarily as a Remote Administration Tool (RAT), giving the threat actor continuous backdoor access to the compromised machine. Some observed rootkit samples include an embedded variant of the ZXShell backdoor, and this, combined with its ability to disable antivirus software, makes ZXShell a formidable threat. Its ongoing use and development underscore the need for robust cybersecurity measures and constant vigilance.
Description last updated: 2024-06-03T16:18:30.955Z
Aliases: none currently tracked
Miscellaneous Associations (other elements of context that could aid in identifying relevance):
Backdoor
Rootkit
Apt
Loader
Symantec
Malware
Antivirus
Associated Threat Actors
ID | Relationship type | Votes | Profile description

Lancefly (Unspecified), 5 votes:
Lancefly, a threat actor potentially associated with China, has been identified as the group behind an ongoing cyberespionage campaign targeting organizations in South and Southeast Asia. The targets include government bodies, aviation companies, educational institutions, and telecommunication secto

APT41 (Unspecified), 5 votes:
APT41, a threat actor attributed to China, has been actively targeting organizations in at least 14 countries since 2012. The group is known for its use of an extensive range of malware, with at least 46 different code families and tools observed in their operations. They are associated with various

APT17 (has used), 2 votes:
APT17, also known as Tailgator Team and Deputy Dog, is a threat actor suspected to be affiliated with the Chinese intelligence apparatus. This group has been associated with various aliases including Winnti, PassCV, Axiom, LEAD, BARIUM, Wicked Panda, and GREF. The primary targets of APT17 are the U.
Source Document References
Information about the ZxShell malware was read from the document corpus below (display limited to 20 results).
Source | Created | Title
Checkpoint, 3 months ago: Inside the Box: Malware’s New Playground - Check Point Research
CERT-EU, a year ago: Cyber Security Week in Review: September 29, 2023
CERT-EU, a year ago: China-Linked Budworm Targeting Middle Eastern Telco and Asian Government Agencies
CERT-EU, a year ago: Lancefly APT Custom Backdoor Targets Government and Aviation Sectors
CERT-EU, a year ago: Security Incident Weekly Report 2023-05-15, Week 20 - 360CERT
CERT-EU, a year ago: Spy code targeting Windows systems of government agencies and airlines went undetected for five years
MITRE, 2 years ago: Threat Spotlight: Group 72
MITRE, 2 years ago: Advanced Persistent Threats (APTs) | Threat Actors & Groups
MITRE, 2 years ago: Threat Spotlight: Group 72, Opening the ZxShell
Flashpoint, a year ago: No title
CERT-EU, a year ago: Lancefly APT targets government, aviation sector with custom backdoor
CERT-EU, a year ago: Year-long Cyber Campaign Reveals Potent Backdoor and Custom Implant, | IT Security News
Securityaffairs, a year ago: Lancefly uses powerful Merdoor backdoor in attacks on Asian orgs
CSO Online, a year ago: New APT targets South and Southeast Asia with custom-written backdoor
CERT-EU, a year ago: Lancefly: a new spy in cyberspace of unknown origin
CERT-EU, a year ago: Lancefly APT Targeting Asian Government Organizations for Years
BankInfoSecurity, a year ago: Threat Actor Uses Merdoor Backdoor to Hit Asian Orgs
CERT-EU, a year ago: Anomali Cyber Watch: Lancefly APT Adopts Alternatives to Phishing, BPFdoor Removed Hardcoded Indicators, FBI Ordered Russian Malware to Self-Destruct
CERT-EU, a year ago: Lancefly APT Hackers Using Custom Backdoor to Attack Government Orgs
CERT-EU, a year ago: Sophisticated Merdoor backdoor long used in Lancefly APT attacks